ClickFix Phishing Campaign Targets Mexican Bank Customers With Fake Google Verification
Key Takeaways A new phishing campaign, dubbed REF6045, is actively targeting Mexican bank customers using a fake Google verification page. The attackers employ the ClickFix technique, tricking...
Key Takeaways
- A new phishing campaign, dubbed REF6045, is actively targeting Mexican bank customers using a fake Google verification page.
- The attackers employ the ClickFix technique, tricking victims into executing a command that installs the SCMBANKER malware.
- SCMBANKER is designed for real-time banking fraud, allowing human operators to monitor sessions, redirect users, and steal financial data.
- The campaign targets a wide range of financial services within Mexico, including retail banks, fintech, and cryptocurrency exchanges.
- Attackers are leveraging open-source tools and potentially Large Language Models (LLMs) to construct their malware, reducing the need for advanced coding skills.
Sophisticated Phishing Leverages Fake Google Verification for Banking Fraud
A new and highly interactive phishing campaign, identified as REF6045, is actively compromising Mexican bank customers through a deceptive Google verification page. This operation deploys a specialized malware toolkit, named SCMBANKER, which is engineered not merely for data exfiltration but for direct, operator-assisted financial fraud.
Table Of Content
The campaign employs a well-known tactic, often referred to as “ClickFix,” where unsuspecting victims are socially engineered into copying and executing a malicious command. This seemingly innocuous action initiates a multi-stage infection process, granting attackers significant control over the compromised system. Once established, the threat actors can monitor banking sessions, manipulate user interactions, and redirect victims towards fraudulent phone scams or additional phishing sites.
This operation is particularly notable due to the presence of a human operator who dynamically assesses each victim’s session and escalates the attack as opportunities for financial exploitation arise. The SCMBANKER malware family itself has been traced back to at least October 2025, with Elastic telemetry first detecting active infections in June 2026. The scope of its targeting within Mexico’s financial sector is extensive, encompassing traditional retail banks, business banking platforms, various fintech services, payment processors, cryptocurrency exchanges, investment platforms, SAT services, and even telecommunication providers.
Elastic Security Labs researchers were the first to identify and detail this campaign. In a report shared with Cyber Security News (CSN), Elastic stated that the attackers utilize the fake verification pages to install their toolkit, subsequently transforming infected machines into conduits for real-time financial abuse. While the initial infection vector may appear unsophisticated, the overall campaign is meticulously designed for rapid monetization once a target accesses a valuable financial service.
Operator-Assisted Fraud and Malware Capabilities
A distinguishing characteristic of the REF6045 campaign is the high degree of post-compromise control maintained by the attackers. Their capabilities extend beyond passive data collection, allowing them to:
- Capture screenshots of the victim’s desktop.
- Force browser redirects to malicious phishing pages.
- Implement “vishing” overlays, prompting victims to call fraudulent support numbers.
- Hijack the clipboard to replace legitimate payment details with attacker-controlled accounts.
- Lock the victim’s screen with fake security warnings.
- Deploy commercial remote access tools for complete hands-on control of the infected system.
Elastic’s analysis also revealed evidence suggesting that large language models (LLMs) may have been used to generate significant portions of the malware’s code. This indicates a trend where cybercriminals are leveraging AI to lower the barrier to entry for developing sophisticated features without requiring extensive programming expertise.
The Infection Chain: From Fake CAPTCHA to Full Compromise
The attack commences with a fraudulent CAPTCHA or verification page, often presented in Spanish and mimicking legitimate Google security prompts. After successfully navigating this deceptive challenge, the page automatically copies a malicious command to the victim’s clipboard. This command, when executed by the victim, downloads and pipes a first-stage script directly into the Windows command shell.
The initial script then triggers a fake Windows Update screen, designed to pressure the victim into granting administrator privileges. During this process, the mouse cursor is temporarily trapped, preventing user interaction. Concurrently, the bitsadmin utility is used to download the full SCMBANKER toolkit into the public user directory, completing the initial infection.
Elastic identified multiple related delivery sites and file servers exhibiting identical patterns, suggesting the reuse of the same attack infrastructure across various deployments. Furthermore, the attackers demonstrated poor operational security, with exposed directories, a leaked web root archive, and an unauthenticated editor linked to live targeting files. This oversight provides valuable intelligence for defenders.
For cybersecurity professionals, these findings underscore the importance of vigilant monitoring for unusual PowerShell activity, bitsadmin downloads, suspicious usage of Windows Run, and scripts originating from atypical directories. These indicators can signal an early stage of compromise before the financial fraud begins. Crucially, user education remains a vital defense, as the entire attack hinges on the victim’s willingness to trust and manually execute the malicious prompt.
What You Should Do
- Educate Users: Conduct regular training on phishing awareness, emphasizing the dangers of executing unknown commands or clicking suspicious links, even those disguised as legitimate security prompts.
- Monitor PowerShell Activity: Implement robust monitoring for suspicious PowerShell commands, especially those involving downloads or unusual script execution.
- Detect Bitsadmin Usage: Watch for instances of
bitsadminbeing used to download files from external sources, particularly to sensitive directories. - Scrutinize Windows Run and Script Execution: Monitor for unusual commands executed via Windows Run and scripts launched from non-standard user directories.
- Implement DNS Filtering: Block access to known malicious domains and IP addresses associated with the REF6045 campaign, including those listed in the IoCs below.
- Deploy Endpoint Detection and Response (EDR): Utilize EDR solutions to detect and prevent the execution of malicious components and to identify post-compromise activities like screenshot capture or remote access tool deployment.
Indicators of compromise (IoCs):-



No Comment! Be the first one.